Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Wednesday, October 14, 2009

Infosec is Rotten

You know what I just noticed? We are a really, really nasty group of people. InfoSec has gone from being an unruly pirate mob, where everyone was just happy to be hacking away at something and welcomed new faces, to just being plain nasty. Exclusion of anyone who doesn't think like us, nastiness to anyone who will admit to being "new" and other sorts of anti-social behavior are going to ruin this industry, if it's not too late already. I've been reading blogs, mailing lists, and such for as long as some of them have been around, and I have seen the devolution. It's gotten to a point where I can't take it anymore.

Jump on a mailing list, read a blog comment roll, or Twitter and you're bound to find people just flat out being nasty ... I just can't take it anymore. Looking at the ugliness that's visible from space, here are just some of the things that I've observed and learned (in no particular order) ...

If you're new, and you dare state that in a post/comment you will be flamed by the "super-senior-jackass-know-it-all" ... guaranteed. Never admit you're "new to security"...

Pursuant to above... Apparently newcomers are not welcome in security anymore

There are cliques, just like on the playground in grade school, made up of people who are too stupid to think for themselves and feel like they need to attack others who aren't like them ... I think we call those gangs in real life.

There are experts who teach and "experts" who would rather hoard the information and call you stupid ... learn to see that distinction

Most mailing lists are at the very least civil; Full-Disclosure is not one of them

There are certain people who just need to change their name because they've managed to piss off everyone in the industry, ahem

A few particularly big smart-asses like to hijack your blog post by starting a war in the comments section. Those are called comment-trolls and should be moderated out.

There are actually people for whom the Mac vs. PC vs. Linux war never died ... they're like religious fanatics only worse because you can't just slam the door in their face

No one with a legitimate column in a "real publication" has any idea what they're talking about because they're too busy trying to be politically correct or pandering to the company paying them to blog/write ... so sad

It's safe to assume that most industry analysts working for large companies of that nature are bought and paid for to speak a certain opinion ... let's just let it go

So there you go. We're a nasty group but let's not paint it all black ... there are plenty amongst us who are willing to teach, take in new recruits and would love to sit down and talk with just about anyone. I shouldn't paint the whole industry this way ... but if you're just looking around it's easy to find this infighting and the problem is that it kills the types of things that would ordinarily flourish like exchanges of ideas, new thinking and creativity.

Let me say also that if you've got an idea and someone wants to tell you that your approach is wrong, listen to them. Maybe they're right, maybe not - but in the end if you have two opposing viewpoints you can only become more intelligent by understanding both of them!

Anyway ... I just couldn't let it go anymore so ... let 'em fly.

Quick clarification: For the one on people with a legitimate column in a "real publication" ... think about all those "columnists" who wrote about how the SideKick issue was a great example of "cloud failure". Forget that it has as much to do with "Cloud" as Darwin did with the Enlightenment - it was a matter of journalists writing blindly to try and attract people who then read their crap, and highly broken group-think emerges. If you're a journalist you have a responsibility to triple-check your facts, make damn sure you know what you're talking about and, for Heaven's sake ... when in doubt ask Hoff (on Cloud stuff) ... Anyway - that's what I was pointing out specifically.

10 comments:

Anonymous said...

I have been in the security industry for about a year and completely agree with your statements. I really enjoy learning about security but have found it extremely hard to find a mentor or anyone that is willing to share any of their security experience. I also find it difficult to ask for help because it would label me a scriptkiddie/n00b. Earning my stripes appears to be a road I must travel alone.

"No one with a legitimate column in a "real publication" has any idea what they're talking about because they're too busy trying to be politically correct or pandering to the company paying them to blog/write ... so sad"

I'm crushed here... You mean some of us, right? Not all of us?

Cause if I'm missing out on some vendor cash can you let me know? I've yet to be offered this (often mentioned recently) vendor paid writing gig... ;-)

As for the PC writing...eh yes and no. I have to stay as close to the middle as I can, but at the same time, I tend to care little about what others think when I write my editorials.

Then again, we're still small, so maybe that's why I see things differently from my end. We don't have a corp sponsor.

As for the cliques, and anti-newbie feeling. I have to agree here.

I miss the mid-90s, where newbies were to be taken under the wing and taught not by giving them answers but by constantly pointing them in a stable direction. Then again, I also miss the alt.* groups too for that same reason.

Great post! It's sad that people can't be real. There's a persona that many InfoSec community members feel they must live up to. So many have to put on a renegade black hat persona on the Internet and at conferences. This leads a lot of new people to think that InfoSec only consists of hacking something and being a jerk.

I also see a lot of people just trying to be famous and get paid. I don't see a lot of passion to share information just to enlighten others.

"No one with a legitimate column in a "real publication" has any idea what they're talking about because they're too busy trying to be politically correct or pandering to the company paying them to blog/write ... so sad"

I have to disagree with this one - maybe I'm just lucky, but in defence of those column writing people everyone I've ever met / dealt with has always taken a great deal of care and effort to be as accurate as possible and help get a particular problem shut down in the act of covering something.

However, the "noobs aren't welcome" thing is spot on. I see this everywhere, from mailing lists to forums and it keeps getting worse.

For the record, I'd happily teach a noob, assuming I thought I had anything worth teaching them.

@Anonymous - Failure of "remote data storage" doesn't necessarily mean it was a "Cloud" service. Cloud is more a concept in the way that infrastructure, platforms, and applications are delivered. Based off of everything I've been able to find (and discourse on the Twitter, the 'net, etc.) the Danger/Microsoft failure for SideKick users was due to a backup failure (someone even suggested they stored backups on the same machine(s), different disk(s)) ... but at any rate that wouldn't qualify it as a "Cloud" service! Just because it's remote, or a service, doesn't make it cloud.

If you're truly interested in hearing more on Cloud Computing I advise reading more on the Cloud Security Alliance pages (http://www.cloudsecurityalliance.org/).

A comment to Steve -- in the mid-90s, the security "scene" was at least as vicious as it is today. Unless you knew the right folks, you risked your personal information and your livelihood just by trying to learn from the "experts". Anyone who remembers #efnet from ~95-99 can attest to this. Entire countries would be taken offline because some idiot wanted ops in #shells.

So here it is, I have been involved in security since I was 12-13 years old, and as such I have grown up with a good foundational knowledge. With that said, I have 4-5 years of professional experience in the field, and I couldn't disagree with you more. I have always been surrounded by people that want to make me better.... here is why -> I produce. The problem is the security industry has a lot of lackluster, standard Gen Y people trying to enter it.... A lot of them aren't *sure* this is what they love to do. If you don't love infosec, and you can't devote more than 40 hours a week to it, I certainly don't believe you can be successful in the industry. The problem is we don't have a lot of positions that allow us to pick up junior people... many companies have to fight for every security dollar, and they don't want to build someone from the ground up (I actually prefer to build people from the ground up)... There is a whole series of issues, but I think for those that CAN'T get involved in security, that means they don't know HOW to get involved in security...

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also stand up better to misuse and attack.

Remember, prevention is a myth the snake-oil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.